Paper clip attack skewers Chip and PIN

Tapping up

Updated: UK researchers have uncovered a serious flaw in the Chip and PIN machines that authenticate debit and credit card transactions.

Two of the most popular PIN entry devices (PED) in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a "tapping attack", using nothing more sophisticated than a paper clip, a needle and a small recording device.

This basic kit enabled University of Cambridge Computer Laboratory researchers to record the data exchanged between a card and the device's processor without triggering the tamper-detection mechanisms. The devices analysed by the team were borrowed from merchants, but they can also be bought online for as little as $20.

In a technical paper the researchers explain that in both PIN entry devices they examined the secure storage for cryptographic keys is well protected. In each case, however, it is possible to tap the data line between the card and the PED's processor. The data exchanged on this line is not encrypted, so the problem reduces to getting physical access to the link and hiding the tap.

The Ingenico PED has 1mm holes in its plastic casing through which a bent paper clip can reach the printed circuit board. "This can be inserted through a hole in the plastic surrounding the internal compartment, and does not leave any external marks," the Cambridge researchers explain. Handily, the Ingenico PED also has a user-accessible compartment for the optional SIM-sized cards that expand its functionality. The compartment is not intended to be tamper-proof, and while it does not give direct access to the circuit board, it provides a concealed space in which to hide the wiretap.

The Dione PED offers no such compartment, but is still vulnerable. The Cambridge researchers drilled a 0.8mm hole from the rear and pushed a 4cm needle through it into a flat ribbon connector socket. A thin wire from the needle to a small interface board then carries the captured data to a laptop.

The Cambridge researchers conclude that the attack is far easier to pull off than the banking industry claims:

What should have required $25,000 needed just a bent paper clip, a needle, a short length of wire and some creative thinking; attaching them to the data line takes minutes with some practice. A small FPGA or microcontroller board with some non-volatile memory can easily fit inside the Ingenico PED’s compartment and record transaction details without the cardholder’s knowledge, while a wire routed from the back of a mounted Dione PED to a recorder under the counter will not be detected unless the cardholder conducts a very close inspection – and knows what to look for.

The recording circuit can be very small and either battery operated or attached to the PED’s power supply; with a full transaction requiring about 1 kB of storage, even a small memory can record thousands of transactions. Detecting such a tap from within the PED is extremely difficult, since high input impedance probes do not significantly distort signals, and proper termination suppresses reflections.

"This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED," the Cambridge researchers note.

A demo of the attack featured on UK news programme Newsnight on Tuesday.

It gets worse. For backward compatibility PIN entry devices still read magnetic stripes as well as chips, and for the same reason the chip itself hands the terminal the account data encoded on the card's magnetic stripe. Anyone tapping the link between card and PED therefore gets everything needed to make a cloned magstripe card. Add the PIN captured from the same link, and fraudsters can withdraw cash at the many ATMs overseas that have not been upgraded to read chips and so rely solely on easily faked magnetic stripes.

Tampered PIN entry devices have already been used for fraud. Last December, £80,000 was stolen from 1,500 people in Leicestershire when crooks cloned their cards using a doctored device in a local petrol station.

The process for certifying PIN entry device security is substandard, the Cambridge team argues: evaluation should be more open, and defective devices should be refused certification.

The Cambridge Chip and PIN scenarios pose little threat in the real world, according to APACS, the banking association which spearheaded the introduction of Chip and PIN in the UK. "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out," a spokesman said.

Ross Anderson, a member of the research team and professor of security engineering at Cambridge, said: "The lessons we learned are not limited to banking. Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities. Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review."

The Cambridge team presents its findings in full in May at the IEEE Symposium on Security and Privacy in Oakland, California. Anderson's co-authors are Saar Drimer and Steven Murdoch.
